The Expert view: How to identify and prioritise security risks

9 July 2018 | Author: Shane Richmond

Welcoming attendees to a Business Reporter Breakfast Briefing at the Goring Hotel in London, Ray Ottey, from Verizon, emphasised the need for information security and risk professionals to be able to translate operational risk into meaningful business data. There remains a gap between technologists and the rest of the business that must be bridged, he told the roomful of senior security and risk professionals from a range of industries.

Justin Coker, of Skybox, echoed his comments, saying that with thousands of vendors competing for attention, it is easy for companies to overlook people and process. He also noted that most organisations lack an accurate, up-to-date and holistic view of their IT estate and information assets, and of how those assets are interconnected.

Assessing the assets

The first step in identifying and prioritising security risks is to determine what you are protecting and from whom. An organisation that runs several hospitals will have different data concerns and risks than a bank, for example.

Doing this effectively means understanding the business, how it operates and what it plans to do next. An experienced security professional will understand this already but it’s good to go through this part of the process in liaison with the business.

Then you can determine the ‘crown jewels’ – the things that must be protected at all costs – followed by important but non-critical data, all the way down to the data you aren’t concerned about. Then you can get a sense of the organisation’s risk appetite. Do they literally mean “at all costs” when it comes to protecting the crown jewels? Does that everyday data truly not need much protection? And so on.

Sorting risk from vulnerabilities

There are vulnerabilities and there are risks and, attendees pointed out, the two are not the same. A vulnerability is not a risk if there is a very low chance of anyone exploiting it, or if exploiting it would have very little impact. Every organisation has thousands of vulnerabilities, said an attendee from a major bank, but most are unimportant.

Many vulnerabilities come from third-party products and services, and it can be difficult to judge the level of risk they pose because they lie outside the customer's control.

‘Cyber’ itself is also not a risk. It’s a medium for, or an amplifier of, familiar risks. Cyber-fraud is still fraud, for example. Helping the business to understand this can clear up a lot of confusion. Indeed, one attendee said that his company had combined physical and cyber risks when presenting risk to the board because this helped them to better grasp that the two should be viewed equally.

A thorough risk assessment will determine which vulnerabilities really are risks, as well as giving some sense of what needs to be done to mitigate them. Some attendees said they conducted a risk assessment every six months, but others reported a trend to carry them out more frequently because of the increasing pace of change.

Prioritise risk

All attendees agreed that prioritising risk is the difficult part. Yes, it is simple to put risks affecting the 'crown jewels' at the top, but how do you compare radically different types of risk, or vulnerabilities that could turn into risks in certain circumstances but probably won't?

Attendees said they deal with this in several ways. One is to compare how much a breach arising from the risk would cost the business with how much revenue the affected area brings in. A risk that affects an area of major revenue should clearly be considered highly important. A risk whose potential cost significantly outweighs the revenue of the affected area, on the other hand, might suggest an area the business doesn't need to be in.

Some attendees said they had devised a scale that made it easier to compare different types of risk and they recommended this as an approach to prioritisation.

Others advocated learning from other sectors. One said that he was using health and safety as an inspiration for measures such as recording near misses and carrying out regular drills, from ethical hacking to phishing tests. Another pointed to the lesson of the engineering industry, which had vastly increased the speed and cut the cost of building aircraft, cars and other products using modelling. Turning this approach to security and creating a model of the security estate can be one way to measure, prioritise and monitor evolving risk.

Once risks have been prioritised, the ranked list needs to be set against the company's risk appetite so the business knows how much it will cost to bring risk down to the level it says it can tolerate. One attendee, from the banking sector, said that at this point it becomes very simple: if the company is not willing to pay what it will cost to meet its risk appetite, then the appetite must change.
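The three steps above (tiering assets, separating risks from mere vulnerabilities by likelihood and impact, and testing the treatment cost against risk appetite) can be turned into a small risk-register script. The following is an added example, not a method or tool presented at the briefing: the five-point scales, tier weights, thresholds and sample findings are all constructed assumptions, chosen only to show the mechanics.

```python
"""Toy risk register: filter vulnerabilities down to risks, rank them, and
test the cost of treating them against a stated risk appetite.

Added example. Scale, weights, thresholds and sample findings are assumptions.
"""
from dataclasses import dataclass, field

# Asset tiers from the 'crown jewels' exercise; weights are assumed.
TIER_WEIGHT = {"crown_jewels": 3.0, "important": 1.5, "everyday": 1.0}


@dataclass
class Finding:
    name: str
    tier: str               # key into TIER_WEIGHT
    likelihood: int         # 1 (remote) .. 5 (expected); assumed 5-point scale
    impact: int             # 1 (negligible) .. 5 (severe)
    breach_cost: float      # estimated loss if the vulnerability is exploited
    area_revenue: float     # revenue of the business area the asset supports
    fix_cost: float         # cost to mitigate the finding
    score: float = field(default=0.0, init=False)


def risk_score(f: Finding) -> float:
    """Likelihood x impact, weighted by how critical the asset tier is."""
    return f.likelihood * f.impact * TIER_WEIGHT[f.tier]


def is_risk(f: Finding, min_likelihood: int = 2, min_impact: int = 2) -> bool:
    """A vulnerability is not treated as a risk if exploitation is very
    unlikely or would have very little impact (thresholds are assumptions)."""
    return f.likelihood >= min_likelihood and f.impact >= min_impact


def cost_to_revenue(f: Finding) -> float:
    """Breach cost relative to what the affected area earns. A ratio above 1
    means a breach would cost more than the area brings in."""
    return f.breach_cost / f.area_revenue if f.area_revenue else float("inf")


def prioritise(findings):
    """Keep only genuine risks, score them, and rank highest first; ties are
    broken by how badly a breach would hurt relative to the area's revenue."""
    risks = [f for f in findings if is_risk(f)]
    for f in risks:
        f.score = risk_score(f)
    return sorted(risks, key=lambda f: (f.score, cost_to_revenue(f)), reverse=True)


def treatment_plan(ranked, appetite_score: float, budget: float):
    """Everything scoring above the appetite line must be treated.
    Returns (to_treat, total_cost, within_budget); if within_budget is False
    the business must either fund the work or change its appetite."""
    to_treat = [f for f in ranked if f.score > appetite_score]
    total = sum(f.fix_cost for f in to_treat)
    return to_treat, total, total <= budget


# Constructed sample findings (not real systems or figures).
SAMPLE_FINDINGS = [
    Finding("Unpatched RCE in payments API", "crown_jewels", 4, 5,
            8_000_000, 50_000_000, 120_000),
    Finding("Default credentials on branch kiosk", "important", 3, 3,
            300_000, 2_000_000, 20_000),
    Finding("Weak SSO config on third-party HR SaaS", "important", 3, 4,
            1_500_000, 1_000_000, 60_000),
    Finding("Reflected XSS on legacy intranet wiki", "everyday", 2, 1,
            5_000, 0, 2_000),
    Finding("Outdated TLS on static marketing site", "everyday", 1, 2,
            10_000, 500_000, 1_000),
]

if __name__ == "__main__":
    ranked = prioritise(SAMPLE_FINDINGS)
    for f in ranked:
        print(f"{f.score:5.1f}  {f.name}  (breach/revenue {cost_to_revenue(f):.2f})")
    to_treat, total, ok = treatment_plan(ranked, appetite_score=15, budget=100_000)
    print(f"treat {len(to_treat)} risks for {total:,.0f}; within budget: {ok}")
```

Run as written, the two low-likelihood or low-impact findings drop out as vulnerabilities that are not risks, the payments RCE ranks first, and treating everything above the assumed appetite line costs more than the assumed budget, which is exactly the point at which the banking attendee says the appetite itself has to be revisited.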

Throughout this process, all attendees agreed, security experts must work closely with the business and work hard to communicate in a language the business understands.

A central theme running through the briefing was that technologists must identify and prioritise risk in liaison with the rest of the business. Though cyber risk is often stereotyped as a technology problem, it is ultimately a people and process problem. Understanding that is the only way to successfully manage risk.
